Sorry Doug....didn't mean to infer that Remedy considered that a security
model...just that most PEOPLE do....much like the person who started this
thread...they thought that the form being hidden meant it was secure...thus
my term 'through Obscurity'....it's a common misconception in the Remedy
world.

-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Mueller, Doug
Sent: Tuesday, June 22, 2010 1:53 PM
To: arslist@ARSLIST.ORG
Subject: Re: 7.5 Mid Tier Object List Question

Folks,

I just want to be clear here...  There is no "Security through Obscurity" concept in the AR System.

Permissions control security.  You can specify that users either do or do not have access.  You can do this at the form level, at the field level, at the row level.

If a user does not have access, they cannot see the form/field/row that they don't have access to.  No exceptions.  No special cases.  No difference between clients or custom programs or in any way accessing the system.  If there is no permission, they cannot see it.  If there is no permission, that item does not exist.  In fact, if the user tries to access it by giving a direct URL or by calling it from the API or whatever, they will get an error that says "No such object" or "No matching row".  They will not get an "it is there but no access" message.  They will be told that it doesn't exist.

There has never been a situation where customers without access to a form, field, or row have gotten access to that item.


Now, we come to a control capability that we have to allow control over the "visible" vs. "not visible" in a list of forms list property.  That is to specify something is visible vs. hidden.

This is NOT security.  Security is saying the user has or does not have access, not whether, once they have access, the NAME is visible or hidden.  If a user has access, they are allowed to see the form and see the data on the form and access the form and read records and whatever it is from the form.  The only thing visible/hidden controls is whether it shows up on the form list you can select from or not by default.

Yes, a customer can access a hidden form.  That is exactly as planned and it is exactly as your security has specified.  You have given that user access.  So, they can access the form.  If you don't want them to have access to that form, don't give them access to it.  Then, they cannot open it no matter what.

If they pull data from it in workflow, then they need access to the data.  They are pulling data from it so you have given them access.  If you don't want them to have access but want data from it, use the Service action of workflow to send the request to the server where the filters run with Admin rights to get data so you can have the user have NO access to the form but use filters to get the data as Administrator and using the Service call get that data back to the client for display on the screen.  So, you would have access to the data without ever exposing access to the form that contained the data.  But, then you would set security to NOT allow access to the form at all for the user and then the user could never open the form or see it or even know it exists unless you gave them the name, but then they still couldn't do anything with that name.


It is important that you don't mix security -- allowing access -- with the concept of whether you have selected to hide the name of a form by not showing it in the forms list -- visible/hidden capability.

There is no implementation of security through obscurity in the system as far as accessing forms or fields or data rows.  There is allowing you to hide things so it is not confusing for users to see forms that are not useful to them to open directly.  This is true in many applications: there are backend forms to which you need access but which you are never expected to open directly.  So, you need permission, but you don't want them shown in something to pick from.  This is an assistance to the user, not a security feature.

I hope this helps clarify things and helps differentiate between two features that just happen to be set in the same place:

   -- access right -- this is security
   -- visible/hidden capability on things you have access to -- a UI feature

Doug Mueller
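As an added illustration (not code from the thread, from BMC, or from the AR System), here is a small Python model of the two features Doug separates: one permission check runs on both the pick-list path and the direct-open path and answers "No such object" whether the form is missing or merely not permitted, while the hidden flag only filters the pick list. The form names "User" and "SYS:Status Transition Rules" and the groups "Public" and "Administrator" come from the thread; "Example:Tickets" and all the class and method names are constructed.

```python
from dataclasses import dataclass


class NoSuchObject(Exception):
    """Raised for both 'does not exist' and 'no permission' so a caller
    cannot distinguish the two (the behaviour Doug describes)."""


@dataclass(frozen=True)
class Form:
    name: str
    allowed_groups: frozenset  # the access right: this is the security control
    visible: bool = True       # the UI flag: only affects the pick list


class FormCatalog:
    """Constructed model; not the AR System API."""

    def __init__(self, forms):
        self._forms = {f.name: f for f in forms}

    def _authorize(self, user_groups, name):
        # Single authorization point used by every access path.
        form = self._forms.get(name)
        if form is None or not (form.allowed_groups & frozenset(user_groups)):
            raise NoSuchObject(f"No such object: {name}")
        return form

    def list_forms(self, user_groups):
        """The object/pick list: permitted AND visible forms only."""
        return sorted(
            f.name for f in self._forms.values()
            if f.visible and f.allowed_groups & frozenset(user_groups)
        )

    def open_form(self, user_groups, name):
        """Direct URL / API / ARTask path: same check, hidden or not."""
        return self._authorize(user_groups, name).name

    def open_result(self, user_groups, name):
        """Return the opened form name, or the error text the caller would see."""
        try:
            return self.open_form(user_groups, name)
        except NoSuchObject as exc:
            return str(exc)


# Constructed sample catalog: a visible public form, a public-hidden form,
# and an admin-only hidden form.
CATALOG = FormCatalog([
    Form("Example:Tickets", frozenset({"Public"})),
    Form("SYS:Status Transition Rules", frozenset({"Public"}), visible=False),
    Form("User", frozenset({"Administrator"}), visible=False),
])
```

Running the model shows why hiding is not a control: a Public user still opens the public-hidden form by name, but gets the identical "No such object" text for the admin-only form and for a form that does not exist.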

-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of LJ LongWing
Sent: Tuesday, June 22, 2010 12:30 PM
To: arslist@ARSLIST.ORG
Subject: Re: 7.5 Mid Tier Object List Question

Yup....security through obscurity is not a good security model.  If they
should have access to the data, there is no issue with them being able to
get to it...if not, change the permissions.

-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Boyd, Rebecca E.
Sent: Tuesday, June 22, 2010 12:38 PM
To: arslist@ARSLIST.ORG
Subject: Re: 7.5 Mid Tier Object List Question

If they know the form name, they still can get to it by creating an artask
as described below or by using the following syntax:

http://<server name>:8080/arsys/forms/<server name>/<Form Name>


-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Chuck
Sent: Tuesday, June 22, 2010 2:11 PM
To: arslist@ARSLIST.ORG
Subject: Re: 7.5 Mid Tier Object List Question


Object list is a Normal Remedy Form, maybe you can go in and customize
the form...

On Jun 22, 12:55 pm, "Boyd, Rebecca E." <boy...@wfu.edu> wrote:
> "Security by Obscurity" is exactly the term my people used.
>
> For example, one of my support staff users, not an admin, located
> SYS:Status Transition Rules and was able to modify it.
>
> BMC said if I modified these forms in any way I risked breaking
> something else.
>
> I find myself in a bit of a predicament. My people say "fix it" and BMC
> says "don't change it."
>
>
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
>
> [mailto:arsl...@arslist.org] On Behalf Of LJ LongWing
> Sent: Tuesday, June 22, 2010 1:10 PM
> To: arsl...@arslist.org
> Subject: Re: 7.5 Mid Tier Object List Question
>
> Rebecca,
> This is a security model I have often referred to as 'Security through
> Obscurity'....which is obviously not security at all....putting a tarp over
> something sitting in an open field doesn't mean someone can't get to
> it....just that they can't see it without first pulling the tarp off....same
> thing with hiding fields on a form...they can always still pull a report on
> the field and get its contents, the only way they can't get its contents is
> if they don't have access to it via permissions....your security people MAY
> have a right to be upset...if the data in question shouldn't be made
> available to the users.  Now....don't confuse access to the form with access
> to the row/field...you can have access to a form, but if you have row level
> access setup to restrict access to all records except those they should have
> access to, then there is no issue....
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
> [mailto:arsl...@arslist.org] On Behalf Of Boyd, Rebecca E.
> Sent: Tuesday, June 22, 2010 9:47 AM
> To: arsl...@arslist.org
> Subject: Re: 7.5 Mid Tier Object List Question
>
> When some of my users discovered they could see - & in some cases modify
> - lots of forms using the API interface, they raised a concern. My
> security people are not happy. This is what BMC sent me from internal KB
> 20021753:
>
> ================
>
> The User form has Public hidden permission.
> While using the User tool, a user without Administrator access cannot
> open the User form.
> When using the Web tool, the user can open the form.
>
> Is this a bug or do we need to build workflow to prevent users from
> accessing User form on the web?
>
> ================
>
> The web behavior is not a bug; it is normal.
>
> Permission and Visibility are two different things (although we tend to
> club them together):
>
> Permission: Whether a User can access an object or not / pull up data
> from it or not.
> Visibility: Whether a User can see the object in the Object List or not.
>
> For example if a Form has Public-Hidden permissions details attached to
> it.
> This means they can pull up data from it / open it but it won't be
> visible in the Object List.
> If you use the Mid-Tier object list, you will find that it too shows the
> same behavior as the User Tool object list.
>
> Q. But is it possible to open up forms in User Tool like Mid-Tier which
> have public hidden permissions?
>
> A. Well actually you can. Here are the steps
>
> 1) Open up the Object List in User Tool.
> 2) Right click any form name and select "Create Shortcut" > "Search Form"
> 3) Save the task file somewhere.
> 4) Open the ARTask file in notepad
> 5) Change the Name = <Form Name> to the form name you want to open
> example Name = User
> 6) Save and Double Click to open the form.
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
> [mailto:arsl...@arslist.org] On Behalf Of Kemes, Lisa
> Sent: Tuesday, June 22, 2010 11:26 AM
> To: arsl...@arslist.org
> Subject: Re: 7.5 Mid Tier Object List Question
>
> Looks like the original post did not come through which I was referring
> to.  
>
> Amanda Pierce asked (back in Jan of 2010):
>
> I have imported the Mid Tier Object List form/workflow, when I log in as
> a regular user with restricted permissions I can see ALL forms even if I
> don't have permission to view them i.e AR System forms.
>
> Is there any way to restrict the visibility of these forms the same way
> the client does based on Permission Visible/Hidden?
>
> Lisa
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
> [mailto:arsl...@arslist.org] On Behalf Of Kemes, Lisa
> Sent: Tuesday, June 22, 2010 11:24 AM
> To: arsl...@arslist.org
> Subject: Re: 7.5 Mid Tier Object List Question
>
> Has anyone been able to figure this out?  Looks like the only forms that
> show up on this list are the ones with Public Permissions.  We want it to
> act just like the Object List on the client (where the customer can only
> see the forms that they have access to).
>
> Also, is there an easier way for the midtier customer to get to the
> object list other than an entry link or adding a button on every single
> form that takes them to the MidTier Object List Form?
>
> We enabled the "Enable Object List" setting on the Midtier
> configuration, but it appears that enabling on the MidTier server is
> sort of an error trap.
> The MidTier will bring up the Object List if a bad URL is entered.
>
> I can't get this to work even if I try to use a "bad URL" (whatever that
> is!)
>
> I really hope this is one thing that gets taken care of in MT 8.0!
>
> Thanks!
>
> Lisa
>
> Midtier 7.5 p4
> ARS 7.1 p7
> Oracle 10g
>
> --
> View this message in context:
> http://ars-action-request-system.1093659.n2.nabble.com/7-5-Mid-Tier-Object-List-Question-tp4469645p5209293.html
> Sent from the ARS (Action Request System) mailing list archive at
> Nabble.com.
>
> _______________________________________________________________________________
> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
> attend wwrug10 www.wwrug.com ARSlist: "Where the Answers Are"
